topic I have question with SSL decryption. in General Topicshttps://live.paloaltonetworks.com/t5/general-topics/i-have-question-with-ssl-decryption/m-p/271191#M74802
<P>Hi there.</P><P>Few days ago, I 'd changed one of my client's F/W .</P><P>Everything was okay but decryption wasn't working.</P><P>After few times, I found out what problem was causing that issues.<BR />(added decryption profile and changed policies (service: application-default -&gt; any)<BR />But I don't know why do I have to add profile and changed service. So Please let me know why it has to.</P><P>&nbsp;</P><P>there is information :</P><P>&nbsp;</P><P>Before :<BR />Model : 3050<BR />Version : 7.1.7<BR />mode: VW<BR />HA(A-A)</P><P>&nbsp;</P><P>After :<BR />Model : 3260<BR />Version : 8.1.7<BR />mode : L3<BR />HA : A-P</P><P>&nbsp;</P><P>Thank you.</P>Wed, 19 Jun 2019 06:06:56 GMTninecross2019-06-19T06:06:56ZI have question with SSL decryption.https://live.paloaltonetworks.com/t5/general-topics/i-have-question-with-ssl-decryption/m-p/271191#M74802
<P>Hi there.</P><P>Few days ago, I 'd changed one of my client's F/W .</P><P>Everything was okay but decryption wasn't working.</P><P>After few times, I found out what problem was causing that issues.<BR />(added decryption profile and changed policies (service: application-default -&gt; any)<BR />But I don't know why do I have to add profile and changed service. So Please let me know why it has to.</P><P>&nbsp;</P><P>there is information :</P><P>&nbsp;</P><P>Before :<BR />Model : 3050<BR />Version : 7.1.7<BR />mode: VW<BR />HA(A-A)</P><P>&nbsp;</P><P>After :<BR />Model : 3260<BR />Version : 8.1.7<BR />mode : L3<BR />HA : A-P</P><P>&nbsp;</P><P>Thank you.</P>Wed, 19 Jun 2019 06:06:56 GMThttps://live.paloaltonetworks.com/t5/general-topics/i-have-question-with-ssl-decryption/m-p/271191#M74802ninecross2019-06-19T06:06:56ZRe: I have question with SSL decryption.https://live.paloaltonetworks.com/t5/general-topics/i-have-question-with-ssl-decryption/m-p/271357#M74816
<P>Hello,</P><P>Was decryption working prior to the HA change? If not then the policies are incorrect because of decryption.</P><P>&nbsp;</P><P>I.E. the firewall will detect ssl over tcp/443 then decrypt it, the traffic is then reinspected and is determined to be web-browsing over tcp/443 instead of tcp/80 so it breaks unless you allow web-browsing over tcp/443.</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC</A></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Heop that helps.</P>Wed, 19 Jun 2019 14:35:09 GMThttps://live.paloaltonetworks.com/t5/general-topics/i-have-question-with-ssl-decryption/m-p/271357#M74816OtakarKlier2019-06-19T14:35:09ZRe: I have question with SSL decryption.https://live.paloaltonetworks.com/t5/general-topics/i-have-question-with-ssl-decryption/m-p/271920#M74874
<P>I think I may see/understand your situation.&nbsp;</P><P>Prior to 9.x software, the PANOS software did not include secured ports in its AppID.</P><P>&nbsp;</P><P>Example</P><P>When SSL:443 traffic is decrypted, the application becomes web-browsing:443 (port does not change)</P><P>&nbsp;</P><P>because 443 is not app-default for web-browsing, then it is not longer a match.</P><P>If policy was app-default then you would need to change web-browsing to allow 80, 8080, and 443, or change to service any.</P><P>&nbsp;</P><P>maybe this is your issue?</P><P>&nbsp;</P>Thu, 20 Jun 2019 21:30:23 GMThttps://live.paloaltonetworks.com/t5/general-topics/i-have-question-with-ssl-decryption/m-p/271920#M74874SteveCantwell2019-06-20T21:30:23Z